Encrypted data delivery system

ABSTRACT

A system structured from a management device, a content key distribution device and a plurality of terminals suppresses the data volume of a terminal revocation list (TRL). The management device generates and transmits a TRL formed from data that expresses terminal IDs of all terminals to be invalidated, by only a value and a position of a common bit string in the IDs, to the content key distribution device. Each terminal holds a terminal ID that includes a manufacturer, ID and a serial number, and requests the distribution of a content key by sending the terminal ID to the content key distribution device. The content key distribution device refers to the TRL, judges whether the terminal ID transmitted from the terminal is that of an invalidated terminal, and if negative, encrypts and transmits the content key to the terminal.

TECHNICAL FIELD

The present invention relates to encryption communications systems, andin particular to an encryption communications system that includes anencryption communications device that does not accept requests from someof a plurality of terminals, and accepts requests from and transmitsencrypted data to the other terminals.

BACKGROUND ART

In recent years there has been extensive development of systems forconducting electronic business transactions and the like using theInternet.

Encryption technology is used in data communications conducted as partof electronic business transactions and the like. For example, publickey encryption related encryption communications systems are often usedfor authenticating another communications party, and secret keyencryption related encryption communications systems are often used fordistributing data safely. Encryption technology relating to public keyand secret key encryption systems is described in detail in ContemporaryEncryption Theory (Nobuichi Ikeno, Kenji Koyama, Institute of Electricaland Electronic Engineers, 1986)

In relation to public key encryption related encryption communicationssystems, generally a public key certificate, issued by an organ known asthe authentication bureau and for verifying the correspondence between apublic key and the whoever or whatever has possession of the public key,is sent attached to the public key. The public key certificate isbasically public information that does not need to be handled secretly.A secret key paired with a public key, however, needs to be managedsecretly.

Normally, a public key certificate has a valid period, although if asthe result of an accident or incident a secret key paired with a publickey either has been or has possibly been disclosed, the public keycertificate needs to be invalidated, even if still within the validperiod.

As a method of invalidating a public key certificate, a method involvingthe public release of a certificate revocation list (CRL) is shown inSecure Electronic Commerce: Building the Infrastructure for DigitalSignatures and Encryption (Warwick Ford, Michael S. Baum, Prentice Hall,1997). A CRL includes the serial numbers of all public key certificatesto be invalidated, and a mechanism can be constructed that, using a CRL,invalidates and makes unusable public key certificates having serialnumbers included in the CRL.

Also, in the case of a distribution service in which a distributiondevice distributes keys for decrypting digital content (hereafter“content keys”) in response to requests from a large number of terminalsthat receive/playback digital content and which are required toappropriately use video and other digital content encrypted for reasonsof copyright protection and the like, the distribution of content keysshould, in view of copyright protection and the like, be carried outonly with respect to appropriate terminals.

In this distribution service, it is imagined that a distribution systemor the like be used in which terminals each have a unique secret key,and a distribution device for distributing keys receives, from aterminal, notification of a terminal identifier (terminal ID) unique tothe terminal, together with a content key distribution request, performson a content key an encryption that is only possible using the secretkey unique to the terminal, and transmits the encrypted content key tothe terminal.

In this case, if ascertained that a problem exists with a secret keypackaging method in a terminal manufactured by a certain manufacturer,it will be necessary to stop distribution of content keys to allterminals produced by this manufacturer.

Furthermore, in relation to a mechanism that, for example, prevents thecopying of digital content in a terminal, it will be necessary to stopdistribution of content keys to all terminals produced by a certainmanufacturer if a method for neutralizing this mechanism in terminalsmanufactured by the manufacturer is disclosed.

In other words, it will sometimes be necessary to stop the distributionof content keys to terminals that have been corrupted.

As a method of responding to this requirement, a distribution device ina distribution service can be structured to receive a terminal IDtogether with a content key distribution request from a terminal, to usea “terminal revocation list” (TRL), being a variant of the above CRL inwhich, instead of the serial numbers of public key certificates, theterminal IDs relating to all terminals to be invalidated are included,to distribute keys in response to a distribution request only when thereceived terminal ID is not included in the TRL, and to not respond to adistribution request if the terminal ID is included in the TRL.

According to the above method, however, a data size of the TRL when alarge number of terminals require invalidating is enormous, since theterminal IDs of all of these terminals are included.

As an example, if 40 terminals are targeted by the distribution service,each terminal ID is a piece of fixed length data of 4 bytes or more, and1% of these terminals require invalidating, the data size of the TRLwill be at least 160 megabytes.

For this reason, in is feared that a distribution service in which, inorder to handle a large number of terminals, (i) a large number ofdistribution devices for distributing content keys are provided anddispersed throughout various regions or the like, (ii) a TRL isgenerated in a single management device and sent, after having a digitalsignature included therein, to the distribution devices via a publiccommunications network or the like, and (iii) each distribution devicejudges, based on the TRL, whether distribution of a content key to aterminal is permissible, will not prove practical because of either thevoluminous communication data or the voluminous data that thedistribution devices are required to hold.

For example, if a TRL is sent out every time there is an increase in thenumber of terminals to be invalidated, communication bottlenecks arelikely to occur due to the large volume of communication data. Moreover,if a distribution device is structured to request a new TRL from amanagement device when a distribution request is received from aterminal together with a terminal ID, and, after receiving the TRL, tocollate the received terminal ID based on the TRL, the response by thedistribution device to the request from the terminal will be delayed asa result of the length of time required in the reception of the TRL.

DISCLOSURE OF THE INVENTION

In view of the above issue, an object of the present invention is toprovide an encryption communications system that conducts a servicerelating to encryption communication, such as encrypting a content keyand only distributing the encrypted content key to appropriate terminals(i.e. excluding those terminals to be invalidated) based on a TRL, andthat suppresses the data size of the TRL and improves practicability.

A further object of the present invention is to provide varioustechnologies that contribute to the construction of the above encryptioncommunications system.

An encryption communications system provided to achieve the above objectincludes an encryption communications device, a plurality of terminalsthat are each operable to transmit to the encryption communicationsdevice an identifier, which is a bit string having a predeterminednumber of bits for identifying the terminal, and a management devicethat generates invalidated-terminal information showing one or more ofthe identifiers as information specifying one or more terminals to beinvalidated. The management device has an invalidated-terminalinformation generation unit operable to generate theinvalidated-terminal information using a data format that genericallyexpresses, by information specifying a value of a section in a bitstring having the predetermined number of bits, all identifiers in whicha value of the section matches the specified value; and an output unitoperable to output the generated invalidated-terminal information. Theencryption communications device has an invalidated-terminal informationacquisition unit operable to acquire the invalidated-terminalinformation outputted by the management device; an identifier receivingunit operable, when an identifier is transmitted from one of theterminals, to receive the identifier; a judging unit operable to judgewhether the received identifier matches any of the one or moreidentifiers shown by the invalidated-terminal information as informationspecifying one or more terminals to be invalidated; and a communicationunit operable (i) when judged to not be any matches, to conduct apredetermined communication with the terminal that transmitted theidentifier, by performing an encryption unique to the terminal, and (ii)when judged to be a match, to not conduct the predeterminedcommunication with the terminal.

Here, the encryption communications device is, for example, a contentkey distribution device as shown in embodiments 1 to 3, thepredetermined communication is, for example, the transmission of anencrypted content key, and the invalidated-terminal information is, forexample, a TRL (“terminal revocation list”) as shown in embodiments 1 to3.

According to the present invention, all terminal IDs that include acertain bit string are expressed generically by information specifying avalue of and a position in a common bit string included in theseterminal IDs, and thus it is possible to comparatively suppress the sizeof the TRL data volume, and as a result, realize a practical encryptioncommunications system that conducts a service related to encryptioncommunication, such as encrypting a content key and only distributingthe encrypted content key to appropriate terminals (i.e. excluding thoseterminals to be invalidated) based on a TRL.

Furthermore, the invalidated-terminal information (i) may include one ormore sets of corresponded value and position information, each piece ofvalue information showing a value of a section of a bit string havingthe predetermined number of bits, and a corresponding piece of positioninformation being for specifying a bit position of the section in thebit string, and (ii) may be information specifying, as a terminal to beinvalidated, all terminals identified respectively by all identifiers inwhich a value of a partial bit string located in a bit positionspecified by a piece of position information matches a value shown by apiece of value information corresponding to the piece of positioninformation, and the judging unit may (i) verify, for each piece ofposition information, whether a value, in the received identifier, of apartial bit string located in a bit position specified by the piece ofposition information matches a value shown by a piece of valueinformation corresponding to the piece of position information, and (ii)judge, when verified that there is at least one match, that the receivedidentifier matches an identifier shown by the invalidated-terminalinformation.

According to this structure, because the invalidated-terminalinformation is structured in a format that corresponds a value and aposition of a section of a terminal ID, a value of an arbitrary bitstring range can express all of the common terminal IDs by informationformed from value/position sets, without having to fixedly determine aposition of the section by an operational rule or the like, and thus ifeffectively operated, it is possible to express a large number ofinvalidated terminals by a small information volume.

Furthermore, the invalidated-terminal information (i) may include one ormore sets of corresponded representative information and mask flags,each piece of representative information being a bit string having thepredetermined number of bits, and a corresponding mask flag having thepredetermined number of bits, and (ii) may be information specifying, asa terminal to be invalidated, all terminals identified by identifiers inwhich a value of a section having a bit value of “1” in a mask flagmatches a value of the section in a piece of representative informationcorresponding to the mask flag, and the judging unit may (i) verify, foreach mask flag, whether an AND of the mask flag and the receivedidentifier matches an AND of the mask flag and a piece of representativeinformation corresponding to the mask flag, and (ii) judge, whenverified that there is at least one match, that the received identifiermatches an identifier shown by the invalidated-terminal information.

According to this structure, in a format that expresses a large numberof terminal IDs by sets which each comprise a value of a section in aterminal ID and a bit position of the section, a bit positionstructuring the section is shown by a position having a mask flag valueset to “1”, and a bit position not structuring the section is shown by aposition having a mask flag value set to “0”. Consequently, it ispossible to extract, out of a terminal ID received from a terminal, asection to be collated with a value included in the invalidated-terminalinformation, by an easy calculation having a small number ofcomputations that involves performing an AND (i.e. logical product)operation on the received terminal ID and a mask flag. This helps tospeed up the judgments conducted in the encryption communicationsdevice.

Furthermore, the invalidated-terminal information generation unit maygenerate isolated-value information for including in theinvalidated-terminal information, each piece of isolated-valueinformation having the predetermined number of bits, theinvalidated-terminal information may be information further specifying,as a terminal to be invalidated, terminals identified by identifiersthat match a piece of isolated-value information, and the judging unitmay further judge, when the received identifier matches a piece ofisolated-value information, that the received identifier matches anidentifier shown by the invalidated-terminal information.

Here, isolated-value information is, for example, discrete informationas shown in FIG. 8. According to this structure, when a terminal ID ofan invalidated terminal does not have a common bit with a terminal ID ofother invalidated terminals (i.e. when a terminal ID is discrete), thediscrete terminal ID is included in the invalidated-terminal informationas isolated-value information, and thus, when there are a large numberof invalidated terminals having discrete terminal IDs, it is possible tostructure the invalidated-terminal information with a smaller amount ofdata than when a format is used that expresses the discrete IDs by setswhich each consist of a value of a discrete terminal ID and a mask flagin which all the bits are “1”.

Furthermore, the invalidated-terminal information (i) may include one ormore sets of corresponded significant-digit and value information, eachpiece of significant-digit information showing a number of bit digits,and a corresponding piece of value information showing a value of a bitstring having the number of bit digits, and (ii) may be informationspecifying, as a terminal to be invalidated, all terminals identified byidentifiers in which a value of a bit string having, from a mostsignificant bit, a number of bit digits shown by a piece ofsignificant-digit information matches a value shown by a piece of valueinformation corresponding to the piece of significant-digit information,and the judging unit may (i) verify, for each piece of significant-digitinformation, whether, in the received identifier, a value of a bitstring having, from a most significant bit, a number of bit digits shownby the piece of significant-digit information matches a value shown by apiece of value information corresponding to the piece ofsignificant-digit information, and (ii) judge, when verified that thereis at least one match, that the received identifier matches anidentifier shown by the invalidated-terminal information.

According to this structure, it is possible to express all terminal IDshaving a common value for only an arbitrary number of bits from a mostsignificant bit in the terminal IDs, by value information andsignificant digit information that shows the arbitrary number of bits.Generally, in the management of terminal IDs, information distinguishinga collection of identifiers or the like of manufacturers thatmanufacture terminals, or common qualities in terms of structure,function and the like of terminals, is often positioned in the highorder bits of a terminal ID. In this way, it is possible to structurethe invalidated-terminal information by data of a comparatively smallvolume, when there are a large number of terminals to be invalidated inrelation to a specific manufacturer, product structure, or the like.

Furthermore, the management device may have an identifier acquisitionunit operable to acquire the identifiers of all terminals to beinvalidated, and the invalidated-terminal information generation unitmay (i) specify one or more X values satisfying a condition that, out ofthe identifiers acquired by the identifier acquisition unit, the numberof identifiers which have matching X number of bits from a mostsignificant bit is 2^((N-X)), and (ii) generate the invalidated-terminalinformation using a data format that generically expresses, for each Xvalue, the 2^((N-X)) identifiers by significant-digit informationshowing the X number of bit digits, and by value information showing avalue of a bit string of X bits from the most significant bit in the2^((N-X)) identifiers, where N is the predetermined number of bits.

According to this structure, it is possible to constructinvalidated-terminal information that suppresses data volume, withoutplacing an unnecessary operational burden on an operator or the like ofa management device.

Furthermore, each terminal may be manufactured by one of a plurality ofmanufacturers, and an identifier identifying the terminal may show themanufacturer of the terminal by a bit string having a predeterminednumber of bits from a most significant bit in the identifier.

According to this structure, it is possible to express, by sets oflow-volume information, all terminal IDs having a constant number ofbits from a most significant bit that are common, and informationshowing a manufacturer is included in the high order bits of theterminal IDs. Thus, it is possible to effectively suppress the datavolume of the invalidated-terminal information, when ascertained that astructural problem (e.g. user is able to freely duplicate content byexecuting a certain procedure) exists with a terminal from a specificmanufacturer.

Furthermore, the identifier identifying the terminal may show a producttype to which the terminal belongs, by a bit string having apredetermined number of bits that starts from an end of the bit stringshowing the manufacturer.

According to this structure, when ascertained that a problem exist onlywith a certain product manufactured by a specific manufacturer, it ispossible to suppress the data volume of the requiredinvalidated-terminal information, since all terminals in which theproduct is mounted are determined as invalidated terminals.

Furthermore, each terminal may hold a decryption key unique to theterminal, and may be further operable to internally store encryptedcontent, which is content encrypted by a content key, the output unitmay conduct the output by transmitting the invalidated-terminalinformation to the encryption communications device, the encryptioncommunications device may have an encryption key storage unit operableto store encryption keys that correlate one-to-one with the decryptionkeys of all of the terminals, and a content key storage unit operable tostore the content key, the invalidated-terminal information acquisitionunit may conduct the acquisition by receiving the invalidated-terminalinformation transmitted by the output unit, the communication unit, whenjudged by the judging unit that the received identifier does not matchany of the identifiers shown by the invalidated-terminal information,may encrypt the content key using an encryption key that correlates withthe decryption key unique to the terminal which transmitted theidentifier, and transmit the encrypted content key to the terminal, andeach terminal may have a decrypting unit operable to decrypt theencrypted content key transmitted from the encryption communicationsdevice, using the decryption key unique to the terminal, and a playbackunit operable, when the encrypted content is stored in the terminal, todecrypt the encrypted content using the decrypted content key, and toplayback the decrypted content.

According to this structure, when a system is realized in whichconsideration is given to copyright protection and the like, byrestricting playback of content to when a terminal acquires an encryptedcontent key from an encryption communications device, it is possible, ifascertained that copyright protection is no longer possible for a groupof terminals from a certain manufacturer, to suppress the volume of datathat has to be sent from a management device to the encryptioncommunications device, and to shorten the transmission time of the data,since information for identifying the group of terminals to beinvalidated can be constituted by low-volume data consisting of a numberof bit digits showing a section of a terminal ID from a most significantbit to a part indicating a manufacturer ID, and the manufacturer ID.

Furthermore, the invalidated-terminal information (i) may include one ormore pieces of generic and exception information, each piece of genericinformation specifying both a section in a bit string having thepredetermined number of bits and a value of the section, and each pieceof exception information having the predetermined number of bits, and(ii) may be information specifying, as a terminal to be invalidated, allterminals identified by identifiers in which a section specified by apiece of generic information matches a value specified by the piece ofgeneric information, and which do not match a piece of exceptioninformation, and the judging unit may (i) verify whether a section, inthe received identifier, specified by a piece of generic informationmatches a value specified by the piece of generic information, and (ii)judge, when verified that there is a match, that the received identifiermatches an identifier shown by the invalidated-terminal information,except when the received identifier matches a piece of exceptioninformation.

According to this structure, by employing exception information, it issometimes possible to specify the terminal IDs of all invalidatedterminals by a lower data volume, than when specifying terminal IDs ofinvalidated terminals using only generic information. Consider anexample in which there are 15 invalidated terminals, and the terminalIDs of these terminals all have common bit string values except for thelow order 4 bits. Hypothetically it would be possible to constructinvalidated-terminal information specifying the terminal IDs of these 15invalidated terminals by using (i) one piece of generic information toexpress the terminal IDs of the eight terminals having common bit stringvalues except for the low order 3 bits, (ii) another piece of genericinformation to express the terminal IDs of the four terminals havingcommon bit string values except for the low order 2 bits, (iii) anotherpiece of generic information to express the terminal IDs of the twoterminals having common bit string values except for the leastsignificant bit, and (iv) a value of the terminal ID of the remainingterminal to express the terminal ID of that terminal. In comparison,according to the present invention, it is possible to constructinvalidated-terminal information having the same significance, by usingone piece of generic information to express the terminal IDs of 16terminals having common bit strings except for the low order 4 bits, andexception information to express the terminal ID of the one terminal outof the 16 terminal that is not invalidated, and thus suppress the datavolume of the invalidated-terminal information.

Furthermore, the management device may have an identifier acquisitionunit operable to acquire the identifiers of all terminals to beinvalidated, and the invalidated-terminal information generation unitmay (i) determine, as the exception information, an N-bit bit string,obtained by inverting only a least significant bit of one of theidentifiers acquired by the identifier acquisition unit, satisfying afirst condition that the bit string not match any of the identifiersacquired by the identifier acquisition unit, (ii) provisionallydesignate the determined bit string as an identifier, (iii) specify oneor more X values satisfying a second condition that, out of theidentifiers acquired by the identifier acquisition unit and theprovisionally designated identifier, the number of identifiers whichhave matching X number of bits from a most significant bit is 2^((N-X)),and (iv) generate the invalidated-terminal information by determining,as the generic information for each specified X value, informationspecifying the X value and a value of a bit string of X bits from themost significant bit in the 2^((N-X)) identifiers, where N is thepredetermined number of bits and X is less than N.

According to this structure, it is possible to constructinvalidated-terminal information whose data volume is suppressed under aconstant condition, without placing an unnecessarily operational burdenon the operator or the like of a management device.

Furthermore, each terminal may hold a unique decryption key, theencryption communications device may have an encryption key storage unitoperable to store encryption keys that correlate one-to-one with thedecryption keys of all of the terminals, the communication unit, whenjudged by the judging unit that the received identifier does not matchany of the identifiers shown by the invalidated-terminal information,may encrypt communication data using an encryption key that correlateswith the decryption key unique to the terminal which transmitted theidentifier, and transmit the encrypted communication data to theterminal, and the terminal may decrypt the encrypted communication datatransmitted from the encryption communications device, using thedecryption key unique to the terminal.

According to this structure, in a system that includes an encryptioncommunications device for conducting a service in which communicationsdata is only sent to legitimate terminals, it is possible to suppressthe data volume of invalidated-terminal information required in judgingwhether or not a terminal is legitimate, even when there are a largenumber of terminals to be invalidated. As a result, it is possible toplan for a speeding up of the judgment and the like.

Furthermore, the output unit may conduct the output by transmitting theinvalidated-terminal information to the encryption communicationsdevice, and the invalidated-terminal information acquisition unit mayconduct the acquisition by receiving the invalidated-terminalinformation transmitted by the output unit.

According to this structure, a management device constructsinvalidated-terminal information required by an encryptioncommunications device while suppressing data volume, and thus it ispossible to transmit the invalidated-terminal information quickly to theencryption communications device.

Furthermore, the output unit may have a mounting subunit operable tomount a storage medium, and may conduct the output by storing theinvalidated-terminal information on the mounted storage medium, and theinvalidated-terminal information acquisition unit may be operable tomount the storage medium, and may conduct the acquisition by reading theinvalidated-terminal information from the mounted storage medium.

According to this structure, it is possible to use a conventionalstorage medium having a reasonably small acceptable storage capacity,when a management device stores invalidated-terminal informationrequired by an encryption communications device on a storage medium andtransfers the storage medium.

A management device provided to achieve the object generatesinvalidated-terminal information showing, out of a plurality ofidentifiers identifying a plurality of terminals, the identifiers of oneor more terminals to be invalidated, each identifier being a bit stringhaving a predetermined number of bits for identifying a different one ofthe terminals, and includes an invalidated-terminal informationgeneration unit operable to generate the invalidated-terminalinformation using a data format that generically expresses, byinformation specifying a value of a section in a bit string having thepredetermined number of bits, all identifiers in which a value of thesection matches the specified value; and an output unit operable tooutput the generated invalidated-terminal information.

As a result of this management device, the invalidated-terminalinformation to be outputted is able to specify a large number ofinvalidated terminals by a relatively small data volume, and as a resultthe invalidated-terminal information to be outputted is readily usablein terms of transmission and storage onto a storage medium.

Furthermore, the invalidated-terminal information (i) may include one ormore sets of corresponded value and position information, each piece ofvalue information showing a value of a section of a bit string havingthe predetermined number of bits, and a corresponding piece of positioninformation being for specifying a bit position of the section in thebit string, and (ii) may be information specifying, as a terminal to beinvalidated, all terminals identified respectively by all identifiers inwhich a value of a partial bit string located in a bit positionspecified by a piece of position information matches a value shown by apiece of value information corresponding to the piece of positioninformation.

According to this structure, all terminal IDs having a common value ofan arbitrary bit string range can be expressed by information formedfrom value/position sets, without having to fixedly determine a positionof a section by operation rules or the like, since theinvalidated-terminal information is in a format in which a value of asection of a terminal ID and a position of the section are corresponded,and as a result it is possible, if operated effectively, to express alarge number of invalidated terminals by a low information volume.

Furthermore, each terminal may be manufactured by one of a plurality ofmanufacturers, and an identifier identifying the terminal may show themanufacturer of the terminal by a bit string having a predeterminedrange in the identifier.

According to this structure, it is possible to effectively suppress thedata volume of invalidated-terminal information, in cases such as whenit is ascertained that a structural flaw exists in terminalsmanufactured by a specific manufacturer.

An encryption communications device provided to achieve the above objectis for conducting communications with a plurality of terminals, each ofwhich holds an identifier, which is a bit string having a predeterminednumber of bits for identifying the terminal, and includes aninvalidated-terminal information acquisition unit operable to acquire,from an external source, invalidated-terminal information that shows theidentifiers of one or more terminals as information for specifying oneor more terminals to be invalidated, the invalidated-terminalinformation being structured using a data format that genericallyexpresses, by information specifying a value of a section in a bitstring having the predetermined number of bits, all identifiers in whicha value of the section matches the specified value; an identifierreceiving unit operable, when an identifier held by a terminal istransmitted from the terminal, to receive the identifier; a judging unitoperable to judge whether the received identifier matches any of the oneor more identifiers shown by the invalidated-terminal information asinformation specifying one or more terminals to be invalidated; and acommunication unit operable (i) when judged to not be any matches, toconduct a predetermined communication with the terminal that transmittedthe identifier, by performing an encryption unique to the terminal, and(ii) when judged to be a match, to not conduct the predeterminedcommunication with the terminal.

According to this structure, it is possible to quickly judge whether aterminal ID received from a terminal is the terminal ID of aninvalidated terminal, by obtaining and referring to invalidated-terminalinformation specifying a large number of invalidated terminals using arelatively low data volume.

Furthermore, the invalidated-terminal information (i) may include one ormore sets of corresponded value and position information, each piece ofvalue information showing a value of a section of a bit string havingthe predetermined number of bits, and a corresponding piece of positioninformation being for specifying a bit position of the section in thebit string, and (ii) may be information specifying, as a terminal to beinvalidated, all terminals identified respectively by all identifiers inwhich a value of a partial bit string located in a bit positionspecified by a piece of position information matches a value shown by apiece of value information corresponding to the piece of positioninformation, and the judging unit may (i) verify, for each piece ofposition information, whether a value, in the received identifier, of apartial bit string located in a bit position specified by the piece ofposition information matches a value shown by a piece of valueinformation corresponding to the piece of position information, and (ii)judge, when verified that there is at least one match, that the receivedidentifier matches an identifier shown by the invalidated-terminalinformation.

According to this structure, all terminal IDs having a common value ofan arbitrary bit string range can be expressed by information formedfrom value/position sets, without having to fixedly determine a positionof a section by operation rules or the like, since theinvalidated-terminal information is in a format in which a value of asection of a terminal ID and a position of the section are corresponded,and as a result it is possible, if operated effectively, to express alarge number of invalidated terminals by a low information volume.

An information generation method provided to achieve the above objectgenerates invalidated-terminal information for specifying one or moreterminals to be invalidated out of a plurality of terminals, andincludes an identifier acquisition step of acquiring identifiers ofterminals to be invalidated, each identifier being a bit string having apredetermined number of bits for identifying a different one of theterminals; and an invalidated-terminal information generation step ofgenerating the invalidated-terminal information to show all of theidentifiers acquired in the identifier acquisition step, using a dataformat that generically expresses, by information specifying a value ofa section in a bit string having the predetermined number of bits, allidentifiers in which a value of the section matches the specified value.

According to this structure, it is possible to construct information forspecifying a large number of invalidated terminals while suppressingdata volume.

A computer-readable storage medium provided to achieve the above objectstores invalidated-terminal data, and in order to specify, out of aplurality of identifiers that are bit strings having a predeterminednumber of bits for identifying a different one of a plurality ofterminals, the identifiers of one or more terminals to be invalidated,the invalidated-terminal data (i) has an identifier-specifying fieldthat stores section information for specifying a value of a section of abit string having the predetermined number of bits, and (ii) genericallyexpresses, by the section information, all identifiers in which a valueof the section matches the specified value.

In order to specify, out of a plurality of identifiers that are bitstrings having a predetermined number of bits for identifying adifferent one of a plurality of terminals, the identifiers of one ormore terminals to be invalidated, invalidated-terminal data provided toachieve the above object (i) has an identifier-specifying field thatstores section information for specifying a value of a section of a bitstring having the predetermined number of bits, and (ii) genericallyexpresses, by the section information, all identifiers in which a valueof the section matches the specified value.

According to these structures, all terminal IDs that include a certainbit string are expressed generically by information specifying a valueand a position of a common bit string included therein, and thus it ispossible to comparatively suppress the data volume ofinvalidated-terminal data.

An encryption communications system provided to achieve the above objectincludes an encryption communications device, a plurality of terminalsthat each transmit to the encryption communications device a keyidentifier having a predetermined number of bits, and a managementdevice that generates invalidated-identifier information specifying oneor more key identifiers to be invalidated. The management device has aninvalidated-identifier information generation unit operable to generatethe invalidated-identifier information using a data format thatgenerically expresses, by information specifying a value of a section ina bit string having the predetermined number of bits, all identifiers inwhich a value of the section matches the specified value; and an outputunit operable to output the generated invalidated-identifierinformation. The encryption communications device has an acquisitionunit operable to acquire the invalidated-identifier informationoutputted by the management device; an identifier receiving unitoperable to receive a key identifier transmitted from one of theplurality of terminals; a judging unit operable to judge whether thereceived key identifier matches any of the one or more key identifiersspecified by the invalidated-identifier information; and a communicationunit operable, only when judged to not be any matches, to conduct apredetermined communication with the terminal that transmitted the keyidentifier, by performing an encryption relating uniquely to the keyidentifier.

According to this structure, the volume of data required inauthenticating the legitimacy of a key identifier can be suppressed, andthus it is possible to enhance the practicability of a system thatconducts a service such as performing a predetermined communicationinvolving, for example, the transmission of specific valuable data onlyto terminals that send a legitimate key identifier.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a structural diagram of a content key distribution systemaccording to an embodiment 1 of the present invention;

FIG. 2 shows terminal IDs and decryption keys stored by terminals;

FIG. 3 is a conceptual diagram showing a method for determining a valueof terminal IDs held by terminals;

FIG. 4 shows exemplary content of data stored in an encryption keystorage unit 124 of a content key distribution device 120;

FIG. 5 is a flowchart showing TRL generation/transmission processingconducted by a management device 110;

FIG. 6 is a flowchart showing content playback processing conducted by acontent playback device 130;

FIG. 7 is a flowchart showing content key distribution processingconducted by content key distribution device 120;

FIG. 8 shows a data structure of a TRL in embodiment 1;

FIG. 9 shows exemplary content of a TRL;

FIG. 10 is a flowchart showing TRL data generation processing, which isa part of the TRL generation/transmission processing conducted bymanagement device 110 in embodiment 1;

FIG. 10 is a flowchart showing TRL data generation processing, which isa part of the TRL generation/transmission processing conducted bymanagement device 110 in embodiment 1;

FIG. 11 is a flowchart showing TRL collation processing, which is a partof the content key transmission processing conducted by content keydistribution device 120 in embodiment 1;

FIG. 12 shows a data structure of a terminal ID in an embodiment 2;

FIG. 13 shows a data structure of a TRL in embodiment 2;

FIG. 14 is a flowchart showing TRL data generation processing, which isa part of TRL generation/transmission processing conducted by managementdevice 110 in embodiment 2;

FIG. 15 shows exemplary content of a TRL;

FIG. 16 is a flowchart showing TRL collation processing, which is a partof content key transmission processing conducted by content keydistribution device 120 in embodiment 2;

FIG. 17 shows a data structure of a TRL in an embodiment 3;

FIG. 18 is a flowchart showing TRL data generation processing, which isa part of TRL generation/transmission processing conducted by managementdevice 110 in embodiment 3;

FIG. 19 is a flowchart showing TRL collation processing, which is a partof content key transmission processing conducted by content keydistribution device 120 in embodiment 3; and

FIG. 20 is a structural diagram of a content key distribution systemaccording to an embodiment 4 of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

The following describes, with reference to the drawings, a content keydistribution system, which is an embodiment of the present inventionapplied as a system that takes into consideration copyright protectionand the like of content.

Embodiment 1

System Structure

FIG. 1 is a structural diagram of a content key distribution systemaccording to an embodiment 1 of the present invention.

Content key distribution system 100 is structured to include a pluralityof content playback devices 130 for playing back content, a content keydistribution device 120 for distributing encrypted content keys inresponse to requests from the content playback devices, and a managementdevice 110 for sending, to content key distribution device 120, aterminal revocation list (TRL), which is information used for judgingwhether distribution of an encrypted content key is permissible. Here,either one or a plurality of content key distribution devices 120 isprovided in the content key distribution system.

Here, content playback devices 130 a, 130 b and the like are, forexample, each disposed in a different household, and function to acquireencrypted content via a communication channel, storage media or thelike, and to decode and playback the acquired content using a contentkey.

In a system in which consideration is given to copyright protection, itis assumed that content will be encrypted and then targeted forcirculation. For this reason, if a content playback device does notobtain a content key by decrypting an encrypted content key receivingfrom content key distribution device 120, an encrypted content cannot bedecrypted and played back. Content playback devices 130 (hereafter“terminals”) each includes a CPU, a hard disk, a mechanism forcommunicating with an external unit, and the like, and conduct contentplayback processing for playing back movies and other content forviewing, listening to or the like by a user, via a display device, aspeaker or the like. Functionally, each terminal has a terminal IDstorage unit 131, a decryption key storage unit 132, a encrypted contentstorage unit 133, a request transmitting unit 134, an encrypted contentkey receiving unit 135, a decryption unit 136, and a playback unit 137.

Terminal ID storage unit 131 is a storage area in a ROM (read onlymemory) or the like, and stores terminal IDs that are for identifyingthe various terminals. If, for example, 16 terminals are used in contentkey distribution system 100, the terminal IDs will be structured by bitstrings of four or more bits that allow identification of the 16terminals, and if, for example, there are 50 terminals, the terminal IDswill be bit strings in excess of 32 bits. For ease of understanding,embodiment 1 will be described mainly in relation to there been 16terminals and 4-bit terminal IDs.

Decryption key storage unit 132 is a storage area in a ROM or the likethat stores a decryption key used for decrypting an encrypted contentkey. The decryption key is a secret key having a value that is uniquefor each terminal, and is structured, for example, by 128 bits.

Encrypted content storage unit 133 is a storage area on a storage mediumsuch as a hard disk, and stores encrypted content. The terminals eachfunction to acquire (by receiving transmission, etc.) encrypted contentfrom an external source, and to store the encrypted content in unit 133.

Request transmitting unit 134 functions to send transmission requestinformation that includes a terminal ID stored in terminal ID storageunit 131 to content key distribution device 120, via a communicationchannel 101 (i.e. public network, etc.).

Encrypted content key receiving unit 135 functions, when an encryptedcontent key is sent from content key distribution device 120, to receivethe encrypted content key.

Decryption unit 136 functions, when an encrypted content key is receivedby encrypted content key receiving unit 135, to decrypt the encryptedcontent key using a decryption key stored in decryption key storage unit132, and to send a content key obtained as a result of the decryption toplayback unit 137.

Playback unit 137 functions to decrypt encrypted content stored inencrypted content storage unit 133 using a content key sent fromdecryption unit 136, and to playback the decrypted content. A user isable to view, listen to or the like content played back by playback unit137.

Some of the functions conducted by request transmitting unit 134,decryption unit 136 and playback unit 137 are realized by a controlprogram stored in a memory being executed by a CPU.

Management device 110 is, for example, a computer or the like installedin an organization that conducts operations relating to the protectionof the copyright and the like of content. Management device 110 conductsTRL generation/transmission processing for generating a TRL that has asmain content, information for specifying all terminals with respect towhich protection of copyright and the like can no longer be guaranteeddue to a decryption key stored therein having been disclosed (i.e. allterminals to which an encrypted content key should not be distributed),and for transmitting the generated TRL to content key distributiondevice 120. Hereafter, terminals to which an encrypted content keyshould not be distributed are referred to as “invalidated terminals”.

Management device 110, as shown in FIG. 1, includes aninvalidated-terminal ID acquisition unit 111, a TRL generation unit 112,and a TRL transmitting unit 113.

Here, invalidated-terminal ID acquisition unit 111 functions to acquireinformation specifying terminal IDs related to all invalidatedterminals, and to provide the acquired terminal IDs to TRL generationunit 112.

TRL generation unit 112 functions to generate a TRL whose main contentis information specifying invalidated terminals, based on the terminalIDs provided by invalidated-terminal ID acquisition unit 111, and tosend the generated TRL to TRL transmitting unit 113. The generation of aTRL is described in detail in a later section.

TRL transmitting unit 113 functions to transmit a TRL sent from TRLgeneration unit 112 to content key distribution device 120 via acommunication channel.

The procedures involved in the TRL generation/transmission processingconducted by management device 110 are described in a later section.

It is assumed that, for example, periodically or when there is a changein invalidated terminal information to be included in a TRL, managementdevice 110 operates to transmit a TRL to content key distribution device120.

Content key distribution device 120 is a computer that conducts contentkey distribution processing, which involves transmitting, when aterminal from which a content key transmission request is received isnot an invalidated terminal, an encrypted content key to the terminal.Functionally, device 120 includes a TRL storage unit 121, a TRLreceiving unit 122, a content key storage unit 123, an encryption keystorage unit 124, a transmission request reception unit 125, a collationunit 126, an encryption unit 127, and an encrypted content keytransmitting unit 128.

Here, TRL storage unit 121 is an area on a storage medium such as a harddisk, and stores a TRL.

TRL receiving unit 122 functions to receive a TRL transmitted frommanagement device 110, and to store the received TRL in TRL storage unit121.

Content key storage unit 123 is a storage area in a memory or the like,and stores a content key.

Encryption key storage unit 124 is an area on a hard disk or the like,and stores in advance for each terminal, a terminal ID of the terminaland an encryption key that correlates with a decryption key of theterminal, so that the terminal ID and the encryption key correspond.

Transmission request reception unit 125 functions to receive atransmission request sent from a terminal via a public network, andconvey the terminal ID included in the transmission request to collationunit 126.

Collation unit 126 functions to judge whether the terminal from which atransmission request originated is an invalidated terminal, by collatingwhether there is a match with any of the invalidated terminals specifiedby a TRL, to convey an instruction to encrypted content key transmittingunit 128 showing that an error message should be returned to thetransmission source when judged to be an invalidated terminal, and toconvey to encryption unit 127 a terminal ID conveyed from transmissionrequest reception unit 125 when judged not to be an invalidatedterminal.

Encryption unit 127 functions, when a terminal ID is conveyed fromcollation unit 126, to generate an encrypted content key, by using anencryption key corresponded to the terminal ID in encryption key storageunit 124 to encrypt a content key stored in content key storage unit123, and to send the encrypted content key to encrypted content keytransmitting unit 128.

Encrypted content key transmitting unit 128 functions to transmit anerror message to a terminal that issued a transmission request when aninstruction showing to return an error message is conveyed fromcollation unit 126, and to transmit an encrypted content key to aterminal that issued a transmission request when an encrypted contentkey is conveyed from encryption unit 127.

Terminal IDs, Decryption Keys and Encryption Keys

FIG. 2 shows terminal IDs and decryption keys stored by the terminals.

Content key distribution system 100 includes 16 terminals, and when theterminal IDs are each 4 bits, as shown in FIG. 2, a terminal 0, forexample, holds a terminal ID “0000” and a decryption key “DK₀”, aterminal 1 holds a terminal ID “0001” and a decryption key “DK₁”, and aterminal 15 holds a terminal ID “1111” and a decryption key “DK₁₅”.Decryption keys DK₀, DK₁, . . . , DK₁₅ are all bit strings whoseindividual values do not match. The terminals protect the decryptionkeys in a secret state using tamper-resistant technology and the like.

FIG. 3 is a conceptual diagram showing a method for determining a valueof terminal IDs held by terminals.

The allotment of terminal IDs to terminals manufactured by variousmanufacturers is determined, for example, by an organization forconducting operations relating to the protection of copyright and thelike, and when the terminals are manufactured, the manufacturers, inaccordance with the allotment, configure, in each terminal, a ROM or thelike storing the terminal ID allotted to the terminal.

Given that the circles in FIG. 3 are “nodes”, and the lines connectingthe nodes are “paths”, a binary tree structure is determined in FIG. 3such that the 16 terminals are corresponded one-to-one with nodes 12 onthe lower-most layer, and either a 0-value or a 1-value is consigned toeach of the two paths from one node to nodes on a lower layer.

The terminal ID of each terminal is expressed by a bit string obtainedby joining together, from higher to lower layers, the 0 or 1 valuesconsigned to all of the paths connecting a node 11 on the upper-mostlayer to a node 12 on the lower-most layer corresponding to theterminal. Consequently, the terminal IDs relating to the terminals aredetermined as shown in FIG. 2.

FIG. 4 shows exemplary content of data stored in encryption key storageunit 124 of content key distribution device 120.

In encryption key storage unit 124 are stored, as shown in FIG. 4,corresponded terminal IDs and encryption keys for all of the terminals.

For example, encryption key EK₀ is corresponded to terminal ID 0000,encryption key EK₀ being a key that correlates with decryption key DK₀held in terminal 0. Consequently, data encrypted using encryption keyEK₀ can be decrypted using decryption key DK₀.

Encryption key EK_(i) and correlated decryption key DK_(i) form a pair,and are matched when using a secret key encryption system in anencryption algorithm for encrypting a content key, and are not matchedwhen using a public key encryption system.

System Operations

The following is a summary of the system operations of content keydistribution system 100.

Operations of Management Device

FIG. 5 is a flowchart showing TRL generation/transmission processingconducted by management device 110.

TRL generation unit 112 in management device 110 acquires terminal IDsrelating to invalidated terminals from invalidated-terminal IDacquisition unit 111 (step S21), and conducts TRL data generationprocessing that involves calculating a content of an information part(hereafter “ID-related information”) of a TRL for specifying invalidatedterminals (step S22). The TRL data generation processing is described indetail in a later section.

After the TRL data generation processing, TRL generation unit 112constructs a TRL that includes the generated ID-related information(step S23), conveys the generated TRL to TRL transmitting unit 113, andTRL transmitting unit 113, having received the TRL, transmits thereceived TRL to content key distribution device 120 via a communicationchannel (step S24).

Operations of Con tent Playback Device

FIG. 6 is a flowchart showing content playback processing conducted bycontent playback device 130.

Content playback device 130 (terminal) conducts content playbackprocessing on receipt, for example, of a user operation instructingcontent playback.

First, request transmitting unit 134 in a terminal requests thetransmission of an encrypted content key, by transmitting, via acommunication channel, a transmission request constituted by data thatincludes a terminal ID unique to the terminal and stored in terminal IDstorage unit 131 (step S31). In response to the request, either anencrypted content key or an error message is sent from content keydistribution device 120.

After the transmission request, encrypted content key receiving unit 135judges whether reception of the encrypted content key was successful(step S32), and conveys the encrypted content key to decryption unit 136only when the encrypted content key is received normally. On receipt ofthe encrypted content key, decryption unit 136 decrypts the encryptedcontent key using a decryption key held in decryption key storage unit132, and conveys a content key obtained as a result of the decryption toplayback unit 137 (step S33).

When a content key is conveyed, playback unit 137 decrypts encryptedcontent stored in encrypted content storage unit 133 using the contentkey, and plays back the content as it is being decrypted (step S34). Asa result of this playback, video, audio and the like is, for example,outputted via a display device, a speaker and the like, thus allowing auser to view/listen to the content.

Operations of Content Key Distribution Device

FIG. 7 is a flowchart showing content key distribution processingconducted by content key distribution device 120.

Content key distribution device 120 receives, via receiving unit 122,and stores a TRL in storage unit 121 at least once before conducting thecontent key distribution processing, and conducts the content keydistribution processing whenever a transmission request is sent from oneof content playback devices 130.

When a transmission request is sent from one of content playback devices130 (terminal), transmission request reception unit 125 receives thetransmission request and conveys a terminal ID included in the receivedtransmission request to collation unit 126 (step S41).

When a terminal ID is conveyed, collation unit 126 conducts TRLcollation processing that involves referring to a TRL and judgingwhether the terminal ID is the terminal ID of an invalidated terminal(step S42). The TRL collation processing is described in detail in alater section.

When, as a result of the TRL collation processing, a terminal IDrelating to the transmission request is judged to be the terminal ID ofan invalidated terminal (step S43=YES), collation unit 126 conveys toencrypted content key transmitting unit 128 an instruction showing thatan error message should be returned to the transmission source of thetransmission request, and in response, unit 128 conducts errorprocessing that involves an error message being transmitted to theterminal (step S47), and ends the content key distribution processing.

If in step S43, it is judged, as a result of the TRL collationprocessing, that a terminal ID relating to the transmission request isnot the terminal ID of an invalidated terminal (step S43=NO), collationunit 126 conveys the terminal ID relating to the transmission request toencryption unit 127, and on receipt of the terminal ID, encryption unit127 extracts an encryption key corresponding to the terminal ID fromencryption key storage unit 124, uses the extracted encryption key toencrypt a content key stored in content key storage unit 123, thusgenerating an encrypted content key, and conveys the encrypted contentkey to encrypted content key transmitting unit 128 (step S45).

When an encrypted content key is conveyed, encrypted content keytransmitting unit 128 transmits the encrypted content key to theterminal that issued the transmission request (step S46), and ends thecontent key distribution processing.

TRL Structure

FIG. 8 shows a data structure of a TRL in embodiment 1.

Although the bit size example given in FIG. 8 assumes that there are 16terminals, exemplary bit sizes corresponding to when there are severaltimes as many terminals are show in parenthesis for reference purposesas a further practical example. The following description refers to thebit size example for 16 terminals.

As shown in FIG. 8, a TRL is structured from 8-bit version information210, ID-related information 220, and 64-bit signature information 230.

Version information 210 is information showing a version number of aTRL, and the version number changes, for example, every time a TRL withdifferent content is newly generated.

ID-related information 220 is structured from group information 221 anddiscrete information 225.

Group information 221 includes one or a plurality of ID 223/mask data224 sets, and an entry number 222 showing the number of sets. If thenumber of sets is given as M, a value shown by entry number 222 will beM.

Here, mask data 224 is data in which X number of high order bits in the4-bit bit string structuring mask data 224 have a value of “1”, and anyremaining low order bits have a value of “0”, X thus being expressed bythis mask data.

ID 223 forming a set with mask data 224 that expresses X, is data inwhich only a content of X number of bits from the most significant bit(“MSB”) in the 4-bit bit string structuring ID 223 is useful, theremaining bits having a value of “0”, for example.

All terminal IDs in which the high order X bits expressed by mask data224 match a value of ID 223 (i.e. the terminal IDs of 2^((4-X)) numberof invalidated terminals) are shown by the sets of ID 223/mask data 224.

Consequently, group information 221 is formed from one or a plurality ofsets that expresses the terminal IDs of a plurality of invalidatedterminals generically.

Discrete information 225 includes one or a plurality of IDs 227, andincludes an entry number 226 that shows the number of IDs 227. If thenumber of IDs is given as N, a value shown by entry number 226 will beN.

IDs 227 each show a terminal ID of an invalidated terminal.Consequently, discrete information 225 is formed from one or a pluralityof pieces of information that expresses the terminal IDs of invalidatedterminals discretely.

Signature information 230 is a so-called digital signature generated toreflect the entirety of version information 210 and ID-relatedinformation 220.

FIG. 9 shows exemplary content of a TRL.

In FIG. 9 is illustrated a TRL that includes (i) as group information, aset consisting of an ID 223 having a bit string “1100” and mask data 224having a bit string “1100”, and a further set consisting of an ID 223having a bit string “0110” and mask data 224 having a bit string “1110”,and (ii) as discrete information, an ID 227 having a bit string “0001”.

The terminal IDs of four invalidated terminals (i.e. 1100, 1101, 1110,1111) are expressed by the set formed by the “1100” mask data and the“1100” ID, and the terminal IDs of two invalidated terminals (i.e. 0110,0111) is expressed by the set formed by the “1110” mask data and the“0110” ID.

Consequently, the TRL in FIG. 9 shows the terminal IDs of a total ofseven invalidated terminal; six terminals by group information, and oneterminal by discrete information.

TRL Data Generation Processing

FIG. 10 is a flowchart showing TRL data generation processing, which isa part of the TRL generation/transmission processing conducted bymanagement device 110 in embodiment 1.

TRL generation unit 112 in management device 110 conducts TRL datageneration processing after acquiring terminal IDs related toinvalidated terminals from invalidated-terminal ID acquisition unit 111(see FIG. 5).

First, TRL generation unit 112 stores the acquired terminal IDs in a IDworking area which is an area on a storage medium such as a memory orthe like (step S201), stores two pieces of 1-bit bit data “0” and “1” ina bit working area which is an area on a storage medium such as a memoryor the like (step S202), and sets “1” in variable X (step S203).

Next, TRL generation unit 112 focuses on a piece of X-bit bit data inthe bit working area that has not been focused on (step S204), andcounts the number of terminal IDs stored in the ID working area thatsatisfy a condition that the high order X bits match the bit datacurrently being focused on (step S205).

When the counted number in step S205 is 2^((4-X)) (step S206), TRLgeneration unit 112 deletes the terminal IDs satisfying the condition instep S205 (step S207), and with respect to the terminal IDs satisfyingthe condition, determines a 4-bit bit string having the high order Xbits set to “1” and the remaining bits set to “0” as mask data, anddetermines a 4-bit bit string having the high order X bits set to be thesame as the bit data currently being focused on and the remaining bitsset to “0” as an ID, corresponds and retains the determined mask dataand ID in an area of a storage medium (e.g. memory, etc.) as groupinformation (step S208), and conducts the step S209 judgment.

When the counted number in step S205 is 0 or 1 (step S206), TRLgeneration unit 112 skips steps S207 and S208, and conducts the stepS209 judgment.

In the case that the counted number in step S205 is not any of2^((4-X)), 0 or 1 (step S206), if two or more of the terminal IDssatisfying the condition in step S205 have an X+1^(th) bit from the MSBthat is “0”, TRL generation unit 112 stores, in the bit working area,bit data formed by adding a 1-bit “0” to the least significant bit(“LSB”) of the bit data being focused on (step S210), and if two or moreof the terminal ID satisfying the condition have an X+1^(th) bit fromthe MSB that is “1”, TRL generation unit 112 stores, in the bit workingarea, bit data formed by adding a 1-bit “1” to the low order of the bitdata being focused on (step S211), and conducts the step S209 judgment.

In step S209, TRL generation unit 112 judges whether there exists apiece of X-bit bit data that has yet to be focused on, and when thereexists a piece of X-bit bit data yet to be focused on (S209=YES), TRLgeneration unit 112 returns to step S204, and conducts processing tofocus on the next piece of bit data, and when there does not exist apiece of X-bit bit data yet to be focused on (S209=NO), TRL generationunit 112 increases variable X by “1” (step S212), and judges whethervariable X equals “4” (step S213).

When variable X does not equal “4” (S213=NO), TRL generation unit 112returns to step S204, and conducts processing to focus on the next pieceof bit data, and when variable X equals “4” (S213=YES), and if thereremain terminal IDs in the ID working area, TRL generation unit 112stores the remaining terminal IDs in an area of a storage medium (e.g.memory, etc.) as IDs in discrete information (step S214), thus endingthe TRL data generation processing.

Here, the TRL construction shown in step S23 of FIG. 5 is executed byadding, in addition to version information and signature information,respective entry numbers to the group information and discreteinformation retained in an area of a storage medium as a result of theabove TRL data generation processing.

Consequently, when the seven terminal IDs “0001”, “0110”, “0111”,“1100”, “1101”, “1110”, and “1111” are acquired frominvalidated-terminal ID acquisition unit 111, a TRL having the contentshown in FIG. 9 is generated as a result of the above procedures. ThisTRL shows, in FIG. 3, a group consisting of adjacent terminals 6 and 7,a group consisting of terminals 12 to 15, and terminal 1 to beinvalidated terminals.

Furthermore, when there is not even one invalidated terminal, the entrynumber in both the group information and the discrete information willbe “0”.

TRL Collation Processing

FIG. 11 is a flowchart showing TRL collation processing, which is a partof the content key transmission processing conducted by content keydistribution device 120 in embodiment 1.

Collation unit 126 in content key distribution device 120 conducts TRLcollation processing every time a terminal ID sent from a terminal isobtained by transmission request reception unit 125.

Collation unit 126 judges whether an ID 227 that matches a terminal IDsent from a terminal exists in discrete information 225 stored in TRLstorage unit 121 (step S221), and if there is a matching ID 227,collation unit 126 judges the terminal ID acquired from the terminal tobe the terminal ID of an invalidated terminal (step S222), and ends theTRL collation processing.

In step S221, when judged that an ID 227 matching the terminal ID sentfrom the terminal is not included in discrete information 225 of theTRL, collation unit 126 checks whether any of the terminal IDs shown byeach set of ID 223 and mask data 224 in the group information of the TRLmatches the terminal ID sent from the terminal (step S223, S224).

More specifically, collation unit 126 computes a bitwise AND (i.e. alogical product operation carried out in a bitwise fashion) of theterminal ID sent from the terminal and mask data 224 (step S223), judgeswhether the computed AND matches an ID 223 forming a set with the maskdata (step S224), and if matched (S224=YES), judges the terminal IDacquired from the terminal to be the terminal ID of an invalidatedterminal (step S222), and ends the TRL collation processing.

If not matched in step S224 (S224=NO), collation unit 126 judges whetherthe step S223 and S224 processing has been conducted for all the sets ofID 223 and mask data 224 in the group information in the TRL (stepS225), and if the processing has not been completed (S225=NO), collationunit 126 again conducts the step S223 and S224 processing.

If judged in step S225 that the processing has been completed for allthe sets (S225=YES), collation unit 126 judges the terminal ID acquiredfrom the terminal to not be the terminal ID of an invalidated terminal(step S226), and ends the TRL collation processing.

The following describes the concrete operations of content keydistribution device 120 with reference to FIGS. 7 and 11, given that thecontent of the TRL stored in TRL storage unit 121 is as shown in FIG. 9,and assuming that a transmission signal which includes a terminal ID“1101” has been sent to content key distribution device 120 fromterminal 13.

Transmission request reception unit 125 in content key distributiondevice 120 acquires and conveys to collation unit 126 a terminal ID“1101” sent from terminal 13 (step S41), collation unit 126 judgeswhether terminal ID “1101” sent from terminal 13 is included in discreteinformation in the TRL (step S221), and since the only ID in thediscrete information is “0001”, collation unit 126 ANDs terminal ID“1101” and mask data “1100” in the group information (step S223).

The AND computed in step S223 is “1100”, and collation unit 126 judgeswhether the derived bit string “1100” and ID “1100” match (step S224),and since there is a match, collation unit 126 judges the terminal IDacquired from the terminal to be the terminal ID of an invalidatedterminal (step S222), and as a result (step S43), conveys to encryptedcontent key transmitting unit 128 that an error message should betransmitted, and having received this instruction, encrypted content keytransmitting unit 128 transmits an error message to terminal 13 (stepS47).

Next, a description will be given of the concrete operations of contentkey distribution device 120, based on the same premise as above, andassuming that a transmission signal which includes a terminal ID “0010”has been sent to content key distribution device 120 from terminal 2.

Transmission request reception unit 125 in content key distributiondevice 120 acquires and conveys to collation unit 126 a terminal ID“0010” sent from terminal 2 (step S41), collation unit 126 judgeswhether terminal ID “0010” sent from terminal 2 is included in discreteinformation in the TRL (step S221), and since the only ID in thediscrete information is “0001”, collation unit 126 ANDs terminal ID“0010” and mask data “1100” in the group information (step S223).

The AND computed in step S223 is “0000”, and collation unit 126 judgeswhether the derived bit string “0000” and ID “1100” match (step S224),and since there is not a match, collation unit 126 ANDs terminal ID“0010” and mask data “1110” in the group information (steps S225, S223).

The AND thus computed is “0010”, and collation unit 126 judges whetherthe derived bit string “0010” and ID “0110” match (step S224), and sincethere is not a match and there are no more pieces of unprocessed maskdata in the group information (step S225), collation unit 126 judgesterminal ID “0010” acquired from the terminal to not be the terminal IDof an invalidated terminal (steps S226, S43), and conveys terminal ID“0010” to encryption unit 127.

On receipt of terminal ID “0010”, encryption unit 127 encrypts a contentkey stored in content key storage unit 123, by extracting and using anencryption key EK₂ corresponding to “0010” from encryption key storageunit 124 (step S45), and conveys the encrypted content key obtained as aresult to encrypted content key transmitting unit 128.

When the encrypted content key is conveyed, encrypted content keytransmitting unit 128 transmits the encrypted content key to terminal 2(step S46). Consequently, terminal 2, having acquired the encryptedcontent key, decrypts the encrypted content key using a decryption keyDK₂ stored internally, and thus obtains a content key.

Embodiment 2

The following description relates to a content key distribution systemaccording to an embodiment 2.

The content key distribution system according to embodiment 2 includesbasically the same system structure as content key distribution system100 shown in embodiment 1, and conducts basically the same systemoperations. Consequently, the various devices are shown using the samereference numbering as in FIG. 1 and the like, and a description ofparts that are the same as embodiment 1 have been omitted.

In embodiment 2, however, a data structure of terminal IDs is special,and a data structure of a TRL differs from that of embodiment 1. Forthis reason, management device 110 conducts TRL data generationprocessing that differs from the TRL data generation processing shown inembodiment 1, and content key distribution device 120 conducts TRLcollation processing that differs from the TRL collation processingshown in embodiment 1.

Terminal IDs

FIG. 12 shows the data structure of a terminal ID in embodiment 2.

In FIG. 12 is shown an exemplary structure in which a terminal ID is setto be 128 bits, so that it can be corresponded to hundreds of millionsof terminal or more in a content key distribution system.

The terminal ID is constituted by a 32-bit manufacturer ID field 301, a32-bit product ID field 302, a 32-bit product version ID field 303, anda 32-bit serial number field 304.

Here, in manufacturer ID field 301 is stored a manufacturer ID that isfor identifying a manufacturer that made a content playback device.

In product ID field 302 is stored a product ID that is for identifyingproducts of the manufacturer determined by the manufacturer ID.

In product version ID field 303 is stored a product version ID thatshows a version number which is updated whenever there is a form changeor the like in relation to a product determined by a product ID.

In serial number field 304 is stored a serial number consigned todiscrete products.

TRL Structure

FIG. 13 shows a data structure of a TRL in embodiment 2.

In FIG. 13 is shown an exemplary data structure of a TRL correspondingto when the number of terminals is in the hundreds of millions or more.

As shown in FIG. 13, the TRL is structured from 8-bit versioninformation 310, 128-bit issuer information 320, a 128-bit invalidatedterminal number 330, ID-related information 340, and 320-bit signatureinformation 350.

Version information 310 is information showing a version number of theTRL, and the version number is changed every time, for example, a TRLhaving different content is newly generated.

Issuer information 320 is information showing an issuance origin of aTRL.

Invalidated terminal number 330 is the number of invalidated terminals.

ID-related information 340 includes one or a plurality of sets of128-bit IDs 342 and 8-bit mask bits 343, and an entry number 341 showingthe number of sets. If the number of sets is given as N, a value shownby entry number 341 will be N.

Here, mask bit 343 takes a value from 1 to 128. Also, if the value ofmask bit 343 is given as X, it is possible to derive mask data having aform that shows the high order X bits in a 128-bit bit string to be “1”and any remaining low order bits to all be “0”.

Furthermore, ID 342 forming a set with mask bit 343 is data in whichonly a content of the number of bit digits, from an MSB in the 128-bitbit string structuring the ID, whose value is shown by mask bit 343, areuseful, and in which other values are, for example, “0”.

All of the terminal IDs whose high order X bits, expressed by value X ofmask bit 343, match a value of ID 342 (i.e. the terminal IDs of2^(128-x) number of invalidated terminals) are shown by the set of ID342 and mask bit 343.

Signature information 350 is a so-called digital signature created toreflect an entirety of version information 310, issuer information 320,invalidated terminal number 330, and ID-related information 340.

TRL Data Generation Processing

FIG. 14 is a flowchart showing TRL data generation processing, which isa part of the TRL generation/transmission processing conducted bymanagement device 110 in embodiment 2.

A terminal ID is described here as being an N-bit. N is, for example,128 bits.

TRL generation unit 112 in management device 110 conducts TRL datageneration processing after acquiring terminal IDs related toinvalidated terminals from invalidated-terminal ID acquisition unit 111(see FIG. 5).

First, TRL generation unit 112 stores the acquired terminal IDs in a IDworking area which is an area on a storage medium such as a memory orthe like (step S301), stores two pieces of 1-bit bit data “0” and “1” ina bit working area which is an area on a storage medium such as a memoryor the like (step S302), and sets “1” in variable X (step S303).

Next, TRL generation unit 112 focuses on a piece of X-bit bit data inthe bit working area that has not been focused on (step S304), andcounts the number of terminal IDs stored in the ID working area thatsatisfy a condition that the high order X bits match the bit datacurrently being focused on (step S305).

When the counted number in step S305 is 2^((N-X)) (step S306), TRLgeneration unit 112 deletes the terminal IDs satisfying the condition instep S305 (step S307), and with respect to the terminal IDs satisfyingthe condition, determines the value of variable X as a mask bit, anddetermines an N-bit bit string having the high order X bits set to bethe same as the bit data currently being focused on and the remainingbits set to “0” as an ID, retains the determined mask bit and ID as aset in an area of a storage medium such as a memory or the like (stepS308), and conducts the step S309 judgment.

When the counted number in step S305 is 0 or 1 (step S306), TRLgeneration unit 112 skips steps S307 and S308, and conducts the stepS309 judgment.

In the case that the counted number in step S305 is not any of2^((N-X)), 0 or 1 (step S306), if two or more of the terminal IDssatisfying the condition in step S305 have an X+1^(th) bit from the MSBthat is “0”, TRL generation unit 112 stores, in the bit working area,bit data formed by adding a 1-bit “0” to the low order of the bit databeing focused on (step S310), and if two or more of the terminal IDsatisfying the condition have an X+1^(th) bit from the MSB that is “1”,TRL generation unit 112 stores, in the bit working area, bit data formedby adding a 1-bit “1” to the low order of the bit data being focused on(step S311), and conducts the step S309 judgment.

In step S309, TRL generation unit 112 judges whether there exists apiece of X-bit bit data that has yet to be focused on, and when thereexists a piece of X-bit bit data yet to be focused on (S309=YES), TRLgeneration unit 112 returns to step S304, and conducts processing tofocus on the next piece of bit data, and when there does not exist apiece of X-bit bit data yet to be focused on (S309=NO), TRL generationunit 112 increases variable X by “1” (step S312), and judges whethervariable X equals N (step S313).

When variable X does not equal N (S313=NO), TRL generation unit 112returns to step S304, and conducts processing to focus on the next pieceof bit data, and when variable X equals N (S313=YES), and if thereremain terminal IDs in the ID working area, TRL generation unit 112,with respect to the remaining terminal IDs, stores sets in which N is amask bit and a remaining terminal ID is an ID, in an area of a storagemedium such as a memory or the like (step S314), thus ending the TRLdata generation processing.

Here, in embodiment 2, the TRL construction shown in step S23 of FIG. 5is executed by adding, in addition to a version, issuer information, aninvalidated-terminal number and signature information, an entry numberto the one or plurality of sets of mask bits and IDs retained in an areaof a storage medium as a result of the above TRL data generationprocessing.

FIG. 15 shows exemplary content of a TRL.

In FIG. 15 is shown exemplary content of a TRL which has the data itemsshown in FIG. 13, and in which terminal IDs are 4-bit bit strings, andmask bits are 2-bit data expressing “1” to “b 4”

The terminal IDs of all invalidated terminals expressed by theID-related information shown as an example in FIG. 15 are the same asthe terminal IDs of all invalidated terminals expressed by theID-related information shown as an example in FIG. 9.

TRL Collation Processing

FIG. 16 is a flowchart showing TRL collation processing, which is a partof the content key transmission processing conducted by content keydistribution device 120 in embodiment 2.

Collation unit 126 in content key distribution device 120 conducts TRLcollation processing every time a terminal ID sent from a terminal isobtained by transmission request reception unit 125.

Collation unit 126 checks whether a terminal ID sent from a terminalmatches a terminal ID shown by one of the sets of IDs and mask bits inID-related information in the TRL (steps S321-324).

More specifically, collation unit 126 focuses on a mask bit in the TRLthat has yet to be focused on, derives mask data corresponding to avalue of the mask bit as described above (step S321), computes a bitwiseAND of the terminal ID sent from the terminal and the derived mask data(step S322), judges whether the computed AND matches an ID 342 in a setwith the mask bit 343 being focused on (step S323), and if matched,judges the terminal ID acquired from the terminal to be the terminal IDof an invalidated terminal (step S326), and ends the collationprocessing.

If not matched in step S323 (S323=NO), collation unit 126 judges whetherall of the mask bits 343 in the TRL have been focused on and had thestep S321 to S323 processing conducted (step S324), and if all of themask bits 343 have not been focused on and had the step S321 to S323processing conducted (S324=NO), collation unit 126 returns to step S321,focuses on a mask bit that has yet to be focused on and conductsprocessing.

If judged in step S324 that the processing has been completed for allthe mask bits (S324=YES), collation unit 126 judges the terminal IDacquired from the terminal to not be the terminal ID of an invalidatedterminal (step S325), and ends the TRL collation processing.

Observations

In the content key distribution system shown in embodiment 2, terminalIDs have a data structure such as that shown in FIG. 12, and thus whenall content playback devices having a specific version of a product madeby a certain manufacturer mounted therein, it is possible for amanagement device to generate a TRL that specifies, using a small datavolume, all content playback devices in which only the serial numberfield of the terminal IDs held within the device differ, and to transmitthe generated TRL to a content key distribution device.

This TRL would include as ID-related information, only a set of (i) maskbit 343 whose value is, for example, set to “96” and (ii) ID 342 that isa bit string specifying a manufacturer, a product and a version, and inwhich the serial number is set to “0”.

Embodiment 3

The following description relates to a content key distribution systemaccording to an embodiment 3.

The content key distribution system according to an embodiment 3includes basically the same system structure as content key distributionsystem 100 shown in embodiment 1, and conducts basically the same systemoperations. Consequently, the various devices are shown using the samereference numbering as in FIG. 1 and the like, and a description ofparts that are the same as embodiment 1 have been omitted.

In embodiment 3, a data structure of terminal IDs is the same structureas that shown in embodiment 2. Also, a data structure of a TRL isdifferent to that shown in embodiment 1, and adds a few extra data itemsto the TRL in embodiment 2. For this reason, management device 110conducts TRL data generation processing that differs slightly from theTRL data generation processing shown in embodiment 2, and content keydistribution device 120 conducts TRL collation processing that differsslightly from the TRL collation processing shown in embodiment 2.

TRL Structure

FIG. 17 shows a data structure of a TRL in embodiment 3.

In FIG. 17 is shown an exemplary data structure of a TRL correspondingto when the number of terminals is in the hundreds of millions or more.

As shown in FIG. 17, the TRL is structured from 8-bit versioninformation 410, 128-bit issuer information 420, a 128-bit invalidatedterminal number 430, ID-related information 440, and 320-bit signatureinformation 450.

Version information 410, issuer information 420 and invalidated terminalnumber 430 are the same as version information 310, issuer information320 and invalidated terminal number 330 shown in embodiment 2.

ID-related information 440 is the same as ID-related information 340shown in embodiment 2 to the extent that it includes one or a pluralityof sets of 128-bit IDs 342 and 8-bit mask bits 343, and an entry number441 showing the number of sets. However, ID-related information 440further includes one or a plurality of 128-bit exception IDs 445 and anexception entry number 444 showing the number of exception IDs. If thenumber of exception IDs is given as M, a value shown by exception entrynumber 444 will be M.

Here, an exception ID 445 is the terminal ID of a terminal that is notinvalidated.

In ID-related information 440, the terminal IDs of a plurality ofterminal are expressed generically by a set of ID 442 and mask bit 443,and terminal IDs expressed by the set that are not invalidated-terminalIDs are shown by an exception ID 445.

Consider an example in which each terminal ID is 4 bits, the terminalsnumber 0 to 15, and all of terminals 8 to 15 except for terminal 10 areinvalidated. A content of ID-related information 440 in this case willbe formed by a set of an ID 442 “1000” and a mask bit 443 of value “1”,and an exception ID 445 “1010”.

Signature information 450 is a so-called digital signature created toreflect an entirety of version information 410, issuer information 420,invalidated terminal number 430, and ID-related information 440.

TRL Data Generation Processing

FIG. 18 is a flowchart showing TRL data generation processing, which isa part of the TRL generation/transmission processing conducted bymanagement device 110 in embodiment 3.

A terminal ID is described here as being an N-bit. N is, for example,128 bits.

TRL generation unit 112 in management device 110 conducts TRL datageneration processing after acquiring terminal IDs related toinvalidated terminals from invalidated-terminal ID acquisition unit 111(see FIG. 5).

First, TRL generation unit 112 stores the acquired terminal IDs in a IDworking area which is an area on a storage medium such as a memory orthe like (step S401), and with respect to a terminal ID, among theterminal IDs in the ID working area, for which there does not exist aterminal ID whose LSB only differs, TRL generation unit 112 generatesand stores the terminal ID whose LSB only differs in the ID workingarea, and retains the generated terminal ID as an exception ID (stepS402).

TRL generation unit 112 then stores two pieces of 1-bit bit data “0” and“1” in a bit working area which is an area on a storage medium such as amemory or the like (step S403), and sets “1” in variable X (step S404).

Following step S404, TRL generation unit 112 focuses on a piece of X-bitbit data in the bit working area that has not been focused on (stepS405), and counts the number of terminal IDs stored in the ID workingarea that satisfy a condition that the high order X bits match the bitdata currently being focused on (step S406).

When the counted number in step S406 is 2^((N-X)) (step S407), TRLgeneration unit 112 deletes the terminal IDs satisfying the condition instep S406 (step S408), and with respect to the terminal IDs satisfyingthe condition, determines the value of variable X as a mask bit, anddetermines an N-bit bit string having the high order X bits set to bethe same as the bit data currently being focused on and the remainingbits set to “0” as an ID, retains the determined mask bit and ID as aset in an area of a storage medium such as a memory or the like (stepS409), and conducts the step S410 judgment.

In the case that the counted number in step S406 is not 2^((N-X)) (stepS407), if two or more of the terminal IDs satisfying the condition instep S406 have an X+1^(th) bit from the MSB that is “0”, TRL generationunit 112 stores, in the bit working area, bit data formed by adding a1-bit “0” to the low order of the bit data being focused on (step S411),and if two or more of the terminal ID satisfying the condition have anX+1^(th) bit from the MSB that is “1”, TRL generation unit 112 stores,in the bit working area, bit data formed by adding a 1-bit “1” to thelow order of the bit data being focused on (step S412), and conducts thestep S410 judgment.

In step S410, TRL generation unit 112 judges whether there exists apiece of X-bit bit data that has yet to be focused on, and when thereexists a piece of X-bit bit data yet to be focused on (S410=YES), TRLgeneration unit 112 returns to step S405, and conducts processing tofocus on the next piece of bit data, and when there does not exist apiece of X-bit bit data yet to be focused on (S410=NO), increasesvariable X by “1” (step S413), and judges whether variable X equals N(step S414).

When variable X does not equal N (S414=NO), TRL generation unit 112returns to step S405, and conducts processing to focus on the next pieceof bit data, and when variable X equals N (S414=YES), TRL generationunit 112 ends the TRL data generation processing.

Here, in embodiment 3, the TRL construction shown in step S23 of FIG. 5is executed by adding, in addition to a version, issuer information, aninvalidated-terminal number and signature information, an entry numberto the one or plurality of sets of mask bits and IDs retained in an areaof a storage medium as a result of the above TRL data generationprocessing, and an entry number to the exception ID.

TRL Collation Processing

FIG. 19 is a flowchart showing TRL collation processing, which is a partof the content key transmission processing conducted by content keydistribution device 120 in embodiment 3.

Collation unit 126 in content key distribution device 120 conducts TRLcollation processing every time a terminal ID sent from a terminal isobtained by transmission request reception unit 125.

Collation unit 126 checks whether a terminal ID sent from a terminalmatches a terminal ID shown by one of the sets of IDs and mask bits inID-related information in the TRL (steps S421-424).

More specifically, collation unit 126 focuses on a mask bit in the TRLthat has yet to be focused on, derives mask data corresponding to avalue of the mask bit as described above (step S421), computes a bitwiseAND of the terminal ID sent from the terminal and the derived mask data(step S422), and judges whether the computed AND matches an ID 342 in aset with the mask bit 343 being focused on (step S423).

If judged in step S423 to be a matched (S423=YES), collation unit 126checks whether the terminal ID sent from the terminal matches anexception ID in the TRL (step S426), and if not matched (S426=NO),judges the terminal ID acquired from the terminal to be the terminal IDof an invalidated terminal (step S427), and ends the collationprocessing. If judged in step S426 to be a matched (S426=YES), collationunit 126, judges the terminal ID acquired from the terminal to not bethe terminal ID of an invalidated terminal (step S425), and ends thecollation processing.

If judged in step S423 that the computed AND does not match the ID 342in the set with the mask bit 343 being focused on (S423=NO), collationunit 126 judges whether all of the mask bits 343 in the TRL have beenfocused on and had the step S421 to S423 processing conducted (stepS424), and if all of the mask bits 343 have not been focused on and hadthe step S421 to S423 processing conducted (S424=NO), collation unit 126returns to step S421, focuses on a mask bit that has yet to be focusedon and conducts processing.

If judged in step S424 that the processing has been completed for allthe mask bits (S424=YES), collation unit 126 judges the terminal IDacquired from the terminal to not be the terminal ID of an invalidatedterminal (step S425), and ends the TRL collation processing.

Observations

According to the content key distribution system shown in embodiment 3,if, for example, a couple of dozen terminals having consecutive serialnumbers and whose terminal IDs have bit strings in which a number ofhigh order digits are the same, are all invalidated terminals except fora few, it is possible to specify invalidated terminals using a TRL inwhich the IDs that include bit strings having the same value digits aredetermined as IDs in the ID-related information of the TRL, a valueshowing the number of digits of the sections that are the same isdetermined as a mask bit forming a set with the ID, and terminal IDsrelating to the few terminals that are not invalidated are determined asexception IDs in the ID-related information. As a result, it is possibleto suppress to data volume of a TRL.

Embodiment 4

The following describes a content distribution system according to anembodiment 4.

FIG. 20 is a structural diagram of a content key distribution systemaccording to embodiment 4 of the present invention.

In comparison with management device 110 in content key distributionsystem 100 shown in embodiment 1, which was for transmitting a TRL tocontent key distribution device 120 via a communication channel, incontent key distribution system 500 according to embodiment 4, amanagement device 510 is structured to store a TRL on a storage medium501 such as an optical magnetic disk or the like, and a content keydistribution device 520 is structured to read the TRL from storagemedium 501.

In FIG. 20, elements that are basically the same as those in embodiment1 (see FIG. 1) are shown using the same reference numbering, and adetailed description of these elements is omitted here.

Management device 510 is, for example, a computer or the like installedin an organization that conducts operations relating to the protectionof the copyright and the like of content, and conducts processing togenerate a TRL that has as main content, information for specifying allterminals with respect to which protection of copyright and the like canno longer be guaranteed due to a decryption key stored therein havingbeen disclosed (i.e. all terminals to which an encrypted content keyshould not be distributed), and for storing the generated TRL on astorage medium. Management device 510 includes invalidated-terminal IDacquisition unit 111, TRL generation unit 112, and a TRL storage unit513, and is capable of mounting storage medium 501, which is an opticalmagnetic disk or the like.

Here, TRL generation unit 112 functions to generate a TRL whose maincontent is information specifying invalidated terminals, based on theterminal IDs provided by invalidated-terminal ID acquisition unit 111,and to convey the generated TRL to TRL storage unit 513.

TRL storage unit 513 functions to store a TRL conveyed from TRLgeneration unit 112 on storage medium 501 mounted in management device510.

Management device 510 conducts TRL generation/transmission processing inwhich step S24 shown in FIG. 5 is replaced by processing to record a TRLon a storage medium.

Storage medium 501 having a TRL stored therein by management device 510is delivered to content key distribution device 520. For example, everytime a TRL having new content is generated, the TRL may be stored on astorage medium, and delivered to a content key distribution device.

Content key distribution device 520 is a computer for conducting contentkey distribution processing that involves transmitting an encryptedcontent key to terminals from which a transmission request for a contentkey has been received, so long as the terminal is not an invalidatedterminal. Functionally, content key distribution device 520 includes TRLstorage unit 121, a TRL reading unit 522, content key storage unit 123,encryption key storage unit 124, transmission request reception unit125, collation unit 126, encryption unit 127, and encrypted content keytransmitting unit 128, and is capable of mounting storage medium 501(eg. optical magnetic disk, etc.).

Here, TRL reading unit 522 functions to read a TRL from storage medium501 mounted in content key distribution device 520, and to store theread TRL in TRL storage unit 121.

Consequently, in content key distribution system 500, management device510 and content key distribution device 520 can realize transfer, evenwhen not connected by a communication channel.

A TRL employed in embodiment 4 may be a TRL as shown in any ofembodiments 1 to 3, and the content key distribution device may bestructured to conduct TRL collation processing and the like as requiredby the structure of the TRL.

Supplementary Matters

An encryption communications system according to the present inventionis described above in embodiments 1 to 4 when applied as a content keydistribution system. The present invention is, however, not limited toembodiments such as these. More specifically:

-   (1) In embodiments 1 to 3, a communication channel is shown for    distributing a TRL between a management device and a content key    distribution device, and in embodiment 4, a storage medium is shown    for use in delivering a TRL. However, a TRL may be transferred    between a management device and a content key distribution device    using a combination of a communication channel and a storage medium.    For example, a TRL may be delivered on a storage medium from a    management device to a separate communications device, and the TRL    may be distributed from the communications device to a content key    distribution device via a communication channel.-   (2) A content playback device shown in the above embodiments is not    necessarily required to send a transmission request to a content key    distribution device after acquiring encrypted content, and may, for    example, acquire and conduct playback of encrypted content after    acquiring a content key.-   (3) Each content playback device shown in the above embodiments is    structure to hold a decryption key unique to the content playback    device, and a content key distribution device is structured to hold    encryption keys that correlate one-to-one with the decryption keys.    However, a content playback device may be structured to have a    plurality of decryption keys, and to include, in the transmission    request sent to a content key distribution device, a decryption key    ID for identifying a decryption key. Furthermore, the content key    distribution device may hold, in correspondence with the decryption    key IDs, encryption keys correlating with all of the decryption    keys, and may transmit a content key to the content playback device    using an encryption key corresponding to the sent decryption key ID.    In this case, it is preferable to structure the system such that,    instead of terminal IDs of invalidated terminals, decryption key IDs    corresponding to decryption keys to be invalidated are specify by    ID-related information in a TRL such as shown in the embodiments,    and that in the TRL processing and the like, decryption keys are    targeted for collation rather than terminal IDs.

Furthermore, decryption keys and decryption key IDs may be stored on anIC card or the like that is mountable in a content playback device.

-   (4) In embodiment 1 to 3, TRL generation unit 112 in the management    device automatically generates a TRL by TRL data generation    processing (FIGS. 10, 14, 18) and the like. However, an algorithm    for generating the ID-related information in a TRL is not limited to    this. Furthermore, a TRL may be generated by receiving an input    operation from an operator or the like, or a TRL generated in an    external device may be distributed by TRL transmitting unit 113    after being acquired from within the management device.

Furthermore, a plurality of management devices may exist in a contentkey distribution system, and a TRL may be sent from one managementdevice to another management device. Furthermore, a management devicemay conduct the transmission of a TRL when a request is sent to themanagement device from a content key distribution device, and a contentkey distribution device may request a management device to sent a TRLperiodically or when there is a transmission request from a terminal.

-   (5) A content of the data structure of terminal IDs shown in    embodiment 2 does not necessarily have to be as shown in FIG. 12.    However, it is possible to reduce the data volume of a TRL when, for    example, all of the terminals from a particular manufacturer are    invalidated terminals, by having bit strings expressing a    manufacturer, product and the like included in terminal IDs.

Furthermore, in embodiment 2, an example is given which defines terminalIDs as expressing manufacturer IDs by high order bit strings. However,terminal IDs may be defined as expressing manufacturer IDs by low orderbit strings in a terminal ID, or as expressing manufacturer IDs byintermediate bit strings between high and low order bit strings.

-   (6) Although a mask bit in ID-related information in a TRL shown in    embodiment 2 is, for example, fixed-length data of 8 bits or the    like, the mask bit may be variable-length data and paired with    information showing the data length.-   (7) In relation to ID-related information obtained as a result of    the TRL data generation processing shown in embodiment 3, when a    terminal ID is 128 bits, and the ID-related information includes an    exception ID and a set having an ID whose LSB is “0” and a mask bit    of “127”, the set and the exception ID may be deleted, and a set    added to the ID-related information that has mask bit of “128” and a    bit string obtained by inverting the LSB of the exception ID as an    ID.

Furthermore, in embodiment 3, each exception ID is described as showinga single terminal ID, although instead of the exception ID shown in FIG.17, exception group information that includes one or a plurality of setsof exception IDs and exception mask bits may be included in theID-related information of a TRL. In other words, the ID-relatedinformation may be structured such that all terminal IDs except for theterminal IDs shown by the exception ID/exception mask bit sets are theterminal IDs of invalidated terminals.

-   (8) In embodiments 1 to 4, an example is given of an encryption    communications system according to the present invention being    applied in a content key distribution system. However, if the    communications system is one that receives terminal IDs from    terminals, judges whether or not those terminals are invalidated    terminals, and determines whether or not to execute some sort of    communication processing depending on the judgment result, then the    communication processing content is not especially limited to    transmitting encrypted content keys. For example, it is acceptable    to determine, depending on the result of the judgment as to whether    a terminal is invalidated, whether to execute processing for    receiving important data sent from the terminal after being    encrypted by performing an encryption unique to the terminal.-   (9) A computer program for having a computer or the like execute the    processing procedures of the content key distribution system shown    in embodiments 1 to 3 (i.e. the procedures shown in FIGS. 5˜7, 10,    11, 14, 16, 18, 19, etc.) can be distributed by being stored on a    storage medium or be being circulated via any of a variety of    communication channels or the like. The storage medium may be an IC    card, an optical disk, a flexible disk, a ROM, or the like. A    computer program distributed by circulation via a communication    channel or the like may be submitted for use by being installed or    the like in a computer or the like, and the computer or the like can    conduct processing such as that shown in embodiments 1 to 3 by    executing the computer program.

INDUSTRIAL APPLICABILITY

The encryption communications system of the present invention isapplicable as, for example, a content key distribution systemconstituted by a plurality of terminals, computers, or the like, forproviding the copyright protection of digital content.

1. An encryption communications system comprising: an encryption communications device; a plurality of terminals that are each operable to transmit to the encryption communications device an identifier, which is a bit string having a predetermined number of bits and is held by the respective terminal; and a management device that is operable to generate invalidation information showing one or more of the identifiers as information specifying one or more terminals to be invalidated, wherein the management device includes: an invalidation information generation unit operable to generate the invalidation information using a data format that generically expresses, by information specifying a value of a section in a bit string having the predetermined number of bits, all identifiers in which a value of the section matches the specified value; and an output unit operable to output the generated invalidation information, the encryption communications device includes: an invalidation information acquisition unit operable to acquire the invalidation information outputted by the management device; an identifier receiving unit operable, when an identifier is transmitted from one of the terminals, to receive the identifier; a judging unit operable to judge whether the received identifier matches any of the one or more identifiers shown by the invalidation information as information specifying one or more terminals to be invalidated; and a communication unit operable to (i) when judged to not be any matches, conduct a predetermined communication with the terminal that transmitted the identifier, and (ii) when judged to be a match, not conduct the predetermined communication with the terminal, the invalidation information (i) includes one or more sets of value and position information, each piece of value information showing a value of a section of a bit string having the predetermined number of bits, and a corresponding piece of position information specifying a bit position of the section in the bit string, and (ii) is information specifying, as a terminal to be invalidated, all terminals holding an identifier in which a value of a partial bit string located in a bit position specified by a piece of position information matches a value shown by a piece of value information corresponding to the piece of position information, and the judging unit (i) verifies, for each piece of position information, whether a value, in the received identifier, of a partial bit string located in a bit position specified by the piece of position information matches a value shown by a piece of value information corresponding to the piece of position information, and (ii) judges, when verified that there is at least one match, that the received identifier matches an identifier shown by the invalidation information.
 2. An encryption communications device for conducting communications with a plurality of terminals, each of which holds an identifier, which is a bit string having a predetermined number of bits, the encryption communications device comprising: an invalidation information acquisition unit operable to acquire, from an external source, invalidation information that shows the one or more identifiers held by one or more terminals as information for specifying one or more terminals to be invalidated, the invalidation information being structured using a data format that generically expresses, by information specifying a value of a section in a bit string having the predetermined number of bits, all identifiers in which a value of the section matches the specified value; an identifier receiving unit operable, when an identifier held by a terminal is transmitted from the terminal, to receive the identifier; a judging unit operable to judge whether the received identifier matches any of the one or more identifiers shown by the invalidation information as information specifying one or more terminals to be invalidated; and a communication unit operable to (i) when judged to not be any matches, conduct a predetermined communication with the terminal that transmitted the identifier, and (ii) when judged to be a match, not conduct the predetermined communication with the terminal, wherein the invalidation information (i) includes one or more sets of value and position information, each piece of value information showing a value of a section of a bit string having the predetermined number of bits, and a corresponding piece of position information specifying a bit position of the section in the bit string, and (ii) is information specifying, as a terminal to be invalidated, all terminals holding an identifier in which a value of a partial bit string located in a bit position specified by a piece of position information matches a value shown by a piece of value information corresponding to the piece of position information, and the judging unit (i) verifies, for each piece of position information, whether a value, in the received identifier, of a partial bit string located in a bit position specified by the piece of position information matches a value shown by a piece of value information corresponding to the piece of position information, and (ii) judges, when verified that there is at least one match, that the received identifier matches an identifier shown by the invalidation information. 